Chapter 8 
Security 



KUROSE ROSS 


A note on the use of these ppt slides: 

We’ re making these slides freely available to all (faculty, students, readers). 
They’ re in PowerPoint form so you see the animations; and can add, modify, 
and delete slides (including this one) and slide content to suit your needs. 
They obviously represent a lot of work on our part. In return for use, we only 
ask the following: 

❖ If you use these slides (e.g., in a class) that you mention their source 
(after all, we’ d like people to use our book!) 

❖ If you post any slides on a www site, that you note that they are adapted 
from (or perhaps identical to) our slides, and note our copyright of this 
material. 


Computer 
N etwo r ki ng: A To p 
Down Approach 

6 th edition 

Jim Kurose, Keith Ross 
Addison-Wesley 
March 20 1 2 


Thanks and enjoy! JFK/KWR 

/g\AII material copyright 1996-2012 

^J.F Kurose and K.W. Ross, All Rights Reserved 


8-1 


Chapter 8: Network Security 

Chapter goals: 

understand principles of network security: 

■ cryptography and its many uses beyond “confidentiality” 

■ authentication 

■ message integrity 

security in practice: 

■ firewalls and intrusion detection systems 

■ security in application, transport, network, link layers 


Network Security 8-2 


Chapter 8 roadmap 


8. 1 What is network security? 

8.2 Principles of cryptography 

8.3 Message integrity, authentication 

8.4 Securing e-mail 

8.5 Securing TCP connections: SSL 

8.6 Network layer security: IPsec 

8.7 Securing wireless LANs 

8.8 Operational security: firewalls and IDS 
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What is network security? 


confidentiality : only sender, intended receiver should 
“understand” message contents 

■ sender encrypts message 

■ receiver decrypts message 

authentication: sender, receiver want to confirm identity of 
each other 

message integrity: sender, receiver want to ensure message 
not altered (in transit, or afterwards) without detection 

access and availability: services must be accessible and 
available to users 
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Friends and enemies: Alice, Bob, Trudy 

❖ well-known in network security world 

❖ Bob, Alice (lovers!) want to communicate “securely” 

❖ Trudy (intruder) may intercept, delete, add messages 


Alice 



channel data ' contro1 
messages 


AH 


Bob 
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data 



► data 
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Who might Bob, Alice be? 




... well, real-life Bobs and Alices! 

Web browser/server for electronic transactions 
(e.g., on-line purchases) 

on-line banking client/server 

DNS servers 

routers exchanging routing table updates 
other examples? 
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There are bad guys (and girls) out there! 


Q What can a “bad guy” do? 

A A lot! See section 1 .6 

■ eavesdrop: intercept messages 

■ actively insert messages into connection 

■ impersonation: can fake (spoof) source address in 
packet (or any field in packet) 

■ hijacking: “take over” ongoing connection by 
removing sender or receiver, inserting himself in 
place 

■ denial of service: prevent service from being used 
by others (e.g., by overloading resources) 
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Chapter 8 roadmap 


8. 1 What is network security? 

8.2 Principles of cryptography 

8.3 Message integrity, authentication 

8.4 Securing e-mail 

8.5 Securing TCP connections: SSL 

8.6 Network layer security: IPsec 

8.7 Securing wireless LANs 

8.8 Operational security: firewalls and IDS 
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The language of cryptography 
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K A (m) ciphertext, encrypted with key K A 
m = K B (K A (m)) 
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Breaking an encryption scheme 


cipher-text only attack: 
Trudy has ciphertext she 
can analyze 

two approaches: 

■ brute force: search 
through all keys 

■ statistical analysis 


known-plaintext attack: 
Trudy has plaintext 
corresponding to ciphertext 

■ e.g., in monoalphabetic 
cipher, Trudy determines 
pairings for a,l,i,c,e,b,o, 


chosen-plaintext attack: 
Trudy can get ciphertext for 
chosen plaintext 
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Symm etric key cryptogr aphy 
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m = K s (K s (m)) 


symmetric key crypto: Bob and Alice share same (symmetric) 
key: K s 

♦:♦ e.g., key is knowing substitution pattern in mono alphabetic 
substitution cipher 

Q how do Bob and Alice agree on key value? 
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Simple encryption scheme 


substitution cipher: substituting one thing for another 

■ monoalphabetic cipher: substitute one letter for another 

plaintext : abcdefghijklmnopqrstuvwxyz 

ciphertext : mnbvcxzasdfghjklpoiuytrewq 

e.g.: Plaintext: bob. i love you. alice 
ciphertext: nkn. s gktc wky. mgsbc 

Encryption key: mapping from set of 26 letters 

to set of 26 letters 
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A more sophisticated encryption approach 


n substitution ciphers, M|,M 2 ,...,M n 
cycling pattern: 


e.g., n=4: M I ,M 3 ,M 4 ,M 3 ,M 2 ; M I ,M 3 ,M 4 ,M 3 ,M 2 ; .. 


for each new plaintext symbol, use subsequent 
subsitution pattern in cyclic pattern 
■ dog: d from M , , o from M 3 , g from M 4 


Encryption key: n substitution ciphers, and cyclic 
pattern 

■ key need not be just n-bit pattern 
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Symmetric key crypto: DES 


DES: Data Encryption Standard 

❖ US encryption standard [NIST 1993] 

56-bit symmetric key, 64-bit plaintext input 

❖ block cipher with cipher block chaining 
how secure is DES? 

■ DES Challenge: 56-bit-key-encrypted phrase decrypted 
(brute force) in less than a day 

■ no known good analytic attack 

❖ making DES more secure: 

■ 3 DES: encrypt 3 times with 3 different keys 
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Symmetric key 
crypto: DES 


i— DES operation 

initial permutation 

16 identical “rounds” of 
function application, 
each using different 48 
bits of key 

final permutation 
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AES: Advanced Encryption Standard 


symmetric-key NIST standard, replacied DES 
(Nov 200 1 ) 

processes data in 1 28 bit blocks 
1 28, 1 92, or 256 bit keys 

brute force decryption (try each key) taking I sec 
on DES, takes 149 trillion years for AES 
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Public Key Cryptography 


symmetric key crypto 

❖ requires sender, receiver 
know shared secret key 

Q: how to agree on key in 
first place (particularly if 
never “met”)? 


- public key crypto 

❖ radically different 
approach [Diffie- 
Hellman76, RSA78] 

❖ sender, receiver do not 
share secret key 

❖ public encryption key 
known to all 

❖ private decryption key 
known only to receiver 
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Public key cryptography 


plaintext 
message, m* 
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Public key encryption algorithms 


requirements: 

(T) need !<+(■) and K_(-) such that 

K B ( K g(m)) = m 

( 2 ) given public key Kn, it should be 
impossible to compute private 
key K B 

RSA: Rivest, Shamir, Adelson algorithm 
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Prerequisite: modular arithmetic 


x mod n = remainder of x when divide by n 
facts: 

[(a mod n) + (b mod n)] mod n = (a+b) mod n 
[(a mod n) - (b mod n)] mod n = (a-b) mod n 
[(a mod n) * (b mod n)] mod n = (a*b) mod n 

❖ thus 

(a mod n) d mod n = a d mod n 

example: x= 14, n= 1 0, d=2: 

(x mod n) d mod n = 4 2 mod 10 = 6 
x d — 1 4 2 = 196 x d mod 10=6 
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RSA: getting ready 


message: just a bit pattern 

bit pattern can be uniquely represented by an integer 
number 

thus, encrypting a message is equivalent to encrypting a 
number. 

example: 

❖ m= 1 00 1 000 1 . This message is uniquely represented by 
the decimal number 145. 

to encrypt m, we encrypt the corresponding number, 
which gives a new number (the ciphertext). 
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RSA: Creating public/private key pair 


1 . choose two large prime numbers p, q. 

(e.g., 1 024 bits each) 

2. compute n = pq, z = ( p-l)(q-l ) 

3. choose e (with e<n) that has no common factors 
with z (e, z are “relatively prime”). 

4. choose d such that ed-l is exactly divisible by z. 
(in other words: ed mod z = / ). 

5. public key is (n,e). private key is (n,d). 

\ / v ^ t 
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RSA: encryption, decryption 

0. given (n,e) and ( n,d ) as computed above 

I . to encrypt message m ( <n ), compute 
c = m e mod n 


2. to decrypt received bit pattern, c, compute 
m = mod n 
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RSA example: 

Bob chooses p=5, q=7. Then n=35, z=24. 

e=5 (so e, z relatively prime). 
d=29 { so ed-1 exactly divisible by z). 

encrypting 8-bit messages. 


encrypt: 


bit p attern, m 


m e 

L -1- J 


00001000 12 ^ 24832 


c = m e mod n 

1 T 

17 


d 


decrypt: 


i . i \ ) 


jji = c 0 * mod n 


17 


481968572106750915091411825223071697 
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♦> ♦> ♦> 


Why does RSA work? 


must show that c d mod n = m 



= m 1 mod n 
= m 


Network Security 8-25 


RSA: another important property 

The following property will be very useful later: 
K B ( K g( m )) = m = K^K^m)) 


use public key first, use private key 
followed by first, followed by 

private key public key 

result is the same! 
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Why K B (Kg(m)) 


= m = K^K^ri))? 


follows directly from modular arithmetic: 


(m e mod n) d mod n = m ed mod n 

= m de mod n 
= (m d mod n) e mod n 
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Why is RSA secure? 

suppose you know Bob’ s public key (n,e). How 
hard is it to determine d? 

essentially need to find factors of n without 
knowing the two factors p and q 

■ fact: factoring a big number is hard 
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RSA in practice: session keys 


exponentiation in RSA is computationally 
intensive 

DES is at least 100 times faster than RSA 

use public key cryto to establish secure 
connection, then establish second key - 
symmetric session key - for encrypting data 

session key, K s 

❖ Bob and Alice use RSA to exchange a symmetric key K s 

❖ once both have K s , they use symmetric key cryptography 
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Chapter 8 roadmap 


8.1 What is network security? 

8.2 Principles of cryptography 

8.3 Message integrity, authentication 

8.4 Securing e-mail 

8.5 Securing TCP connections: SSL 

8.6 Network layer security: IPsec 

8.7 Securing wireless LANs 

8.8 Operational security: firewalls and IDS 
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Authentication 


Goal: Bob wants Alice to “prove” her identity to him 
Protocol apl.O: Alice says “I am Alice” 



Failure scenario?? 
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Authentication 


Goal: Bob wants Alice to “prove” her identity to him 
Protocol apl.O: Alice says “I am Alice” 




in a network, 

Bob can not “see” Alice, 
so Trudy simply declares 
herself to be Alice 
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Authentication: another try 


Protocol ap2. 0: Alice says “I am Alice” in an IP packet 

containing her source IP address 



Alice’ s 
IP address 


I am Alice” 




I 5 


M 


Failure scenario?? 
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Authentication: another try 


Protocol ap2. 0: Alice says “I am Alice” in an IP packet 

containing her source IP address 




Trudy can create 
a packet 
“spoofing” 
Alice’ s address 
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Authentication: another try 


Protocol ap3.0: Alice says “I am Alice” and sends her 

secret password to “prove” it. 



Alice’ s 

Alice’ s 

IP addr 

password 
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Failure scenario?? 
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Authentication: another try 


Protocol ap3.0: Alice says “I am Alice” and sends her 

secret password to “prove” it. 



Alice’ s 
IP addr 

Alice’ s 
password 

T m Alice” 








Alice’ s 
IP addr 

OK/ 


U>/ '! 





playback attack: T rudy 
records Alice’ s packet 
and later 

plays it back to Bob 


Alice’ s 
IP addr 


Alice’ s 
password 


T m Alice” 
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Authentication: yet another try 

Protocol ap3.l : Alice says “I am Alice” and sends her 

encrypted secret password to “prove” it. 



Alice’ s 

encrypted 

IP addr 

password 
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- 


Ml 


Failure scenario?? 
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Authentication: yet another try 

Protocol ap3.l : Alice says “I am Alice” and sends her 

encrypted secret password to “prove” it. 



Alice’ s 
IP addr 

encrypted 

password 

“f m Alice” 
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IP addr 

OK/ 
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v- S 



Alice’ s 
IP addr 


encrypted 

password 


f m Alice” 


record 

and 

playback 
still works! 
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Authentication: yet another try 

Goal: avoid playback attack 

nonce : number (R) used only once-in-a-lifetime 
ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice 

must return R, encrypted with shared secret key 




Failures, drawbacks? 


Alice is live, and 
only Alice knows 
key to encrypt 
nonce, so it must 
be Alice! 
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Authentication: ap5.0 


ap4.0 requires shared symmetric key 

can we authenticate using public key techniques? 
ap5.0: use nonce, public key cryptography 



“I am Alice” 



K a (R) 


send me your public key” 


t*- ip 

CX''if B °b computes 

K 1(k;<r)) = R 


'■i - 


M 



A v A' 
and knows only Alice 
could have the private 
key, that encrypted R 
such that 

k>a( r )) = r 
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ap5.0: security hole 


man (or woman) in the middle attack: Trudy poses as Alice 
(to Bob) and as Bob (to Alice) 
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encrypted with 
Alice’ s public key 


K T (m) 
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ap5.0: security hole 


man (or woman) in the middle attack: Trudy poses as Alice (to 
Bob) and as Bob (to Alice) 



difficult to detect: 

❖ Bob receives everything that Alice sends, and vice versa, 
(e.g., so Bob, Alice can meet one week later and recall 
conversation!) 

❖ problem is that Trudy receives all messages as well! 


Network Security 8-42 


Chapter 8 roadmap 


8.1 What is network security? 

8.2 Principles of cryptography 

8.3 Message integrity, authentication 

8.4 Securing e-mail 

8.5 Securing TCP connections: SSL 

8.6 Network layer security: IPsec 

8.7 Securing wireless LANs 

8.8 Operational security: firewalls and IDS 
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Digital signatures 


cryptographic technique analogous to hand-written 
signatures: 

❖ sender (Bob) digitally signs document, establishing 
he is document owner/creator. 

❖ verifiable, nonforgeable: recipient (Alice) can prove to 
someone that Bob, and no one else (including Alice), 
must have signed document 
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Digital signatures 


simple digital signature for message m: 

❖ Bob signs m by encrypting with his private key K B , 
creating “signed” message, K B (m) 
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Digital signatures 

❖ suppose Alice receives msg m, with signature: m, K B (m) 

❖ Alice verifies m signed by Bob by applying Bob’ s public key 
K b to K B (m) then checks K B (K B (m) ) = m. 

❖ If K B (K B (m) ) = m, whoever signed m must have used Bob’ s 
private key. 

Alice thus verifies that: 

■S Bob signed m 

no one else signed m 
S Bob signed m and not m ‘ 
non-repudiation: 

•S Alice can take m, and signature K B (m) to court and 
prove that Bob signed m 
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Message digests 


computationally expensive to 
public-key-encrypt long 
messages 

goal: fixed-length, easy- to- 
compute digital 
“fingerprint” 

❖ apply hash function H to 
m, get fixed size message 
digest, H(m). 



Hash function properties: 

❖ many-to-l 

❖ produces fixed-size msg 
digest (fingerprint) 

given message digest x, 
computationally infeasible to 
find m such that x = H(m) 
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Internet checksum: poor crypto hash function 


Internet checksum has some properties of hash function: 

^ produces fixed length digest ( 1 6 -bit sum) of message 
✓ is many-to-one 

But given message with given hash value, it is easy to find another 
message with same hash value: 


message ASCII format 

I O U 1 49 4F 55 31 
0 0.9 30 30 2E 39 

9 B O B 39 42 D2 42 


message ASCII format 

I O U 9 49 4F 55 39 
0 0.1 30 30 2E 31 

9 B O B 39 42 D2 42 


B2 Cl D2 AC — - different messages ^2 Cl D2 AC 

but identical checksums! 
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Digital signature = signed message digest 


Bob sends digitally signed 
message: 


Alice verifies signature, integrity 
of digitally signed message: 




equal 

9 
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Hash function algorithms 


♦:♦ MD5 hash function widely used (RFC 1321) 

■ computes 128-bit message digest in 4-step process. 

■ arbitrary 1 28-bit string x, appears difficult to construct 
msg m whose MD5 hash is equal to x 

SHA- 1 is also used 

■ US standard [NIST, FIPS PUB 180 - 1 ] 

■ 1 60-bit message digest 
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Recall: ap5.0 security hole 

man (or woman) in the middle attack: Trudy poses as Alice 
(to Bob) and as Bob (to Alice) 
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Trudy gets ^ — 

m = K^(K^(m)) 

sends m to Alice 
encrypted with 
Alice’ s public key 


K T (m) 
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Public-key certification 


motivation: Trudy plays pizza prank on Bob 

■ T rudy creates e-mail order: 

Dear Pizza Store, Please deliver to me four pepperoni 
pizzas. Thank you, Bob 

■ T rudy signs order with her private key 

■ Trudy sends order to Pizza Store 

■ Trudy sends to Pizza Store her public key, but says it’ s 
Bob’ s public key 

■ Pizza Store verifies signature; then delivers four 
pepperoni pizzas to Bob 

■ Bob doesn’ t even like pepperoni 
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Certification authorities 


certification authority (CA): binds public key to particular 
entity, E. 

E (person, router) registers its public key with CA. 

■ E provides “proof of identity” to CA. 

■ CA creates certificate binding E to its public key. 

■ certificate containing E’ s public key digitally signed by CA - CA 
says “this is E’ s public key” 


Bob’ s 0? 


public 


kj 1 1 

key K B 


*4 

iW 




CA (££=> certificate for 

^ate - 

key k ca Bob s public key, 


Bob’ s ^ 

. _ i j 


private 


identifying C.Xj'f 
information ^ 


signed by CA 
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Certification authorities 


when Alice wants Bob’ s public key: 

■ gets Bob’ s certificate (Bob or elsewhere). 

■ apply CA’ s public key to Bob’ s certificate, get Bob’ s 
public key 



1 digital 
signature 
(decrypt) 



► 


(3>s>Bob’s 
public 
K B key 
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Chapter 8 roadmap 


8.1 What is network security? 

8.2 Principles of cryptography 

8.3 Message integrity, authentication 

8.4 Securing e-mail 

8.5 Securing TCP connections: SSL 

8.6 Network layer security: IPsec 

8.7 Securing wireless LANs 

8.8 Operational security: firewalls and IDS 
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Secure e-mail 


❖ Alice wants to send confidential e-mail, m, to Bob. 



Alice: 

❖ generates random symmetric private key, K s 

❖ encrypts message with K s (for efficiency) 

❖ also encrypts K s with Bob’ s public key 

❖ sends both K s (m) and K B (K S ) to Bob 
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Secure e-mail 


❖ Alice wants to send confidential e-mail, m, to Bob. 



Bob: 

❖ uses his private key to decrypt and recover K s 

❖ uses K s to decrypt K s (m) to recover m 
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Secure e-mail (continued) 

❖ Alice wants to provide sender authentication message integrity 
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❖ Alice digitally signs message 

❖ sends both message (in the clear) and digital signature 


Network Security 8-58 


Secure e-mail (continued) 


❖ Alice wants to provide secrecy, sender authentication, 
message integrity. 


K 




A 



Alice uses three keys: her private key, Bob’ s public key, newly 
created symmetric key 
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Chapter 8 roadmap 


8.1 What is network security? 

8.2 Principles of cryptography 

8.3 Message integrity 

8.4 Securing e-mail 

8.5 Securing TCP connections : SSL 

8.6 Network layer security: IPsec 

8.7 Securing wireless LANs 

8.8 Operational security: firewalls and IDS 
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SSL: Secure Sockets Layer 


❖ widely deployed security 
protocol 

■ supported by almost all 
browsers, web servers 

■ https 

■ billions $/year over SSL 

❖ mechanisms: [Woo 1994], 
implementation: Netscape 

❖ variation -TLS: transport layer 
security, RFC 2246 

❖ provides 

■ confidentiality 

■ integrity 

■ authentication 


❖ original goals: 

■ Web e-commerce 
transactions 

■ encryption (especially 
credit-card numbers) 

■ Web-server authentication 

■ optional client 
authentication 

■ minimum hassle in doing 
business with new 
merchant 

❖ available to all TCP 
applications 

■ secure socket interface 
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SSL and TCP/IP 



normal application 


Application 


SSL 


TCP 


IP 


application with SSL 


❖ 


❖ 


SSL provides application programming interface 
(API) to applications 

C and Java SSL libraries/classes readily available 
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Could do something like PGP: 
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❖ but want to send byte streams & interactive data 

❖ want set of secret keys for entire connection 

❖ want certificate exchange as part of protocol: handshake phase 
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Toy SSL: a simple secure channel 


handshake: Alice and Bob use their certificates, 
private keys to authenticate each other and 
exchange shared secret 

key derivation: Alice and Bob use shared secret to 
derive set of keys 

data transfer: data to be transferred is broken up 
into series of records 

connection closure: special messages to securely 
close connection 
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Toy: a simple handshake 



MS: master secret 

EMS: encrypted master secret 


Toy: key derivation 

❖ considered bad to use same key for more than one 
cryptographic operation 

■ use different keys for message authentication code (MAC) and 
encryption 

four keys: 

■ K c = encryption key for data sent from client to server 

■ M c = MAC key for data sent from client to server 

■ K s = encryption key for data sent from server to client 

■ M s = MAC key for data sent from server to client 

❖ keys derived from key derivation function (KDF) 

■ takes master secret and (possibly) some additional random data 
and creates the keys 
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Toy: data records 

why not encrypt data in constant stream as we write it to 
TCP? 

■ where would we put the MAC? If at end, no message integrity 
until all data processed. 

■ e.g., with instant messaging, how can we do integrity check over 
all bytes sent before displaying? 

instead, break stream in series of records 

■ each record carries a MAC 

■ receiver can act on each record as it arrives 

issue: in record, receiver needs to distinguish MAC from 
data 

■ want to use variable-length records 


length 


data 


MAC 
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Toy: sequence numbers 

problem: attacker can capture and replay record 
or re-order records 

solution: put sequence number into MAC: 

■ MAC = MAC(M X , sequence||data) 

■ note: no sequence number field 

problem: attacker could replay all records 
solution: use nonce 
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Toy: control information 

problem: truncation attack: 

■ attacker forges TCP connection close segment 

■ one or both sides thinks there is less data than there 
actually is. 

solution: record types, with one type for closure 

■ type 0 for data; type I for closure 

MAC = MAC(M X , sequence||type||data) 


length 

type 

data 

MAC 
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encrypted 


Toy SSL: summary 



hello 

cer tificate, n once^ 

K b + (MS) = EM S 
Jype 0, seq 1 , ri at, 
type 0, seq 2, data 

n Qpn 1 , data 

type O^s 

seq 3, data 

iy&§JL_seg_4 i _close 
typeTseq^l^?- 


M 


bob.com 
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Toy SSL isrT t complete 

how long are fields? 
which encryption protocols? 
want negotiation? 

■ allow client and server to support different 
encryption algorithms 

■ allow client and server to choose together specific 
algorithm before data transfer 
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SSL cipher su ite 


cipher suite 

■ public-key algorithm 

■ symmetric encryption algorithm 

■ MAC algorithm 

SSL supports several cipher 
suites 

negotiation: client, server 
agree on cipher suite 

■ client offers choice 

■ server picks one 


common SSL symmetric 
ciphers 

■ DES - Data Encryption 
Standard: block 

■ 3DES - Triple strength: block 

■ RC2 - Rivest Cipher 2: block 

■ RC4 - Rivest Cipher 4: 
stream 

SSL Public key encryption 

■ RSA 
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Real SSL: handshake (I) 


Purpose 

1. server authentication 

2. negotiation: agree on crypto algorithms 

3. establish keys 

4. client authentication (optional) 
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Real SSL: handshake (2) 


1. client sends list of algorithms it supports, along with 
client nonce 

2. server chooses algorithms from list; sends back: 
choice + certificate + server nonce 

3. client verifies certificate, extracts server’ s public 
key, generates pre_master_secret, encrypts with 
server’ s public key, sends to server 

4 . client and server independently compute encryption 
and MAC keys from pre_master_secret and nonces 

5 . client sends a MAC of all the handshake messages 

6 . server sends a MAC of all the handshake messages 
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Real SSL: handshaking (3) 


last 2 steps protect handshake from tampering 

client typically offers range of algorithms, some 
strong, some weak 

man-in-the middle could delete stronger algorithms 
from list 

last 2 steps prevent this 

■ last two messages are encrypted 
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why two random nonces? 

suppose Trudy sniffs all messages between Alice 
& Bob 

next day, Trudy sets up TCP connection with 
Bob, sends exact same sequence of records 

■ Bob (Amazon) thinks Alice made two separate orders 
for the same thing 

■ solution: Bob sends different random nonce for each 
connection. This causes encryption keys to be different 
on the two days 

■ Trudy’ s messages will fail Bob’ s integrity check 
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SSL record protocol 




data 

fragment 

MAC 


record 

header 

encrypted 
data and MAC 



data 

fragment 

MAC 


record 

header 

encrypted 
data and MAC 


record header: content type; version; length 

MAC: includes sequence number, MAC key M x 
fragment: each SSL fragment 2 14 bytes (~I6 Kbytes) 


Network Security 8-77 







SSL record format 


1 byte 2 bytes 3 bytes 


content 

type 

SSL version 

length 


data 


MAC 


data and MAC encrypted (symmetric algorithm) 
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Real SSL 
connection 



everything 
henceforth 
is encrypted 


TCP FIN follows 
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Key derivation 


❖ client nonce, server nonce, and pre-master secret input 
into pseudo random-number generator. 

■ produces master secret 

❖ master secret and new nonces input into another 
random-number generator: “key block” 

■ because of resumption: TBD 

❖ key block sliced and diced: 

■ client MAC key 

■ server MAC key 

■ client encryption key 

■ server encryption key 

■ client initialization vector (IV) 

■ server initialization vector (IV) 
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Chapter 8 roadmap 


8.1 What is network security? 

8.2 Principles of cryptography 

8.3 Message integrity 

8.4 Securing e-mail 

8.5 Securing TCP connections: SSL 

8.6 Network layer security: IPsec 

8.7 Securing wireless LANs 

8.8 Operational security: firewalls and IDS 
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What is network-layer confidentiality ? 


between two network entities: 

❖ sending entity encrypts datagram payload, payload 
could be: 

■ TCP or UDP segment, ICMP message, OSPF message .... 

all data sent from one entity to other would be 
hidden: 

■ web pages, e-mail, P2P file transfers, TCP SYN packets 
• • • 

“blanket coverage” 
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Virtual Private Networks (VPNs) 

motivation: 

❖institutions often want private networks for security. 

■ costly: separate routers, links, DNS infrastructure. 

❖VPN: institution’s inter-office traffic is sent over 
public Internet instead 

■ encrypted before entering public Internet 

■ logically separate from other traffic 


Network Security 8-83 


Virtual Private Networks (VPNs) 



headquarters 


Network Security 
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IPsec services 


data integrity 
origin authentication 
replay attack prevention 
confidentiality 

two protocols providing different service models: 

■ AH 

■ ESP 
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IPsec transport mode 



IPsec datagram emitted and received by end-system 
protects upper level protocols 
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IPsec - tunneling mode 



IPsec IPsec 

edge routers IPsec- 
aware 




❖ hosts IPsec-aware 
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Two IPsec protocols 


Authentication Header (AH) protocol 

■ provides source authentication & data integrity but not 
confidentiality 

Encapsulation Security Protocol (ESP) 

■ provides source authentication, data integrity, and 
confidentiality 

■ more widely used than AH 
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Four combinations are possible! 


Host mode 
with AH 

Host mode 
with ESP 

Tunnel mode 
with AH 

Tunnel mode 
with ESP 


most common and 
most important 
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Security associations (SAs) 

before sending data, “security association (SA)” 
established from sending to receiving entity 

■ SAs are simplex: for only one direction 

ending, receiving entitles maintain state information 
about SA 

■ recall: TCP endpoints also maintain state info 

■ IP is connectionless; IPsec is connection-oriented! 

how many SAs in VPN w/ headquarters, branch 
office, and n traveling salespeople? 
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♦> 4^4 4^4 


Example SA from Rl to R2 


headquarters Internet 

200 . 168 . 1.100 193 . 
d i security association 

R2 

R I stores for SA: 

❖ 32-bit SA identifier: Security Parameter Index (SPI) 

❖ origin SA interface (200. 1 68. 1 . 1 00) 
destination SA interface (193.68.2.23) 
type of encryption used (e.g., 3DES with CBC) 
encryption key 

❖ type of integrity check used (e.g., HMAC with MD5) 

❖ authentication key 




branch office 



172 . 16 . 2/24 
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Security Association Database (SAD) 


❖ endpoint holds SA state in security association 
database (SAD), where it can locate them during 
processing. 

with n salespersons, 2 + 2n SAs in Rl’ s SAD 

❖ when sending IPsec datagram, Rl accesses SAD to 
determine how to process datagram. 

❖ when IPsec datagram arrives to R2, R2 examines 
SPI in IPsec datagram, indexes SAD with SPI,and 
processes datagram accordingly. 
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IPsec datagram 


focus for now on tunnel mode with ESP 


enchilada” authenticated 
encrypted 


new IP 

ESP 

original 

Original IP 

ESP 

ESP 

header 

hdr 

IP hdr 

datagram payload 

trl 

auth 
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What happens? 


headquarters 

Internet 

branch office 


200 . 168 . 1.100 193 . 68 . 2.23 


R1 

security association 


R2 


172 . 16 . 1/24 

172 . 16 . 2/24 



“enchilada” authenticated ► 


encrypted 


new IP 

ESP 

original 

Original IP 

ESP 

ESP 

header 

hdr 

IP hdr 

datagram payload 

trl 

auth 


SPI 


Seq 

# 
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Rl: convert original datagram to IPsec datagram 


❖ appends to back of original datagram (which includes original 
header fields!) an “ESP trailer” field. 

encrypts result using algorithm & key specified by SA. 

appends to front of this encrypted quantity the “ESP header, 
creating “enchilada”. 

creates authentication MAC over the whole enchilada, using 
algorithm and key specified in SA; 

appends MAC to back of enchilada, forming payload ; 

creates brand new IP header, with all the classic IPv4 header 
fields, which it appends before payload. 
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Inside the enchilada: 


“enchilada” authenticated ► 


encrypted 



❖ ESP trailer: Padding for block ciphers 

❖ ESP header: 

■ SPI, so receiving entity knows what to do 

■ Sequence number, to thwart replay attacks 

❖ MAC in ESP auth field is created with shared secret key 
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I Psec sequence numbers 


for new SA, sender initializes seq. # to 0 

each time datagram is sent on SA: 

■ sender increments seq # counter 

■ places value in seq # field 

❖ goal: 

■ prevent attacker from sniffing and replaying a packet 

■ receipt of duplicate, authenticated IP packets may 
disrupt service 

method: 

■ destination checks for duplicates 

■ doesn’t keep track of all received packets; instead uses 

a window Network Security 8-97 


♦> ♦> ♦> ♦> 


Security Policy Database (SPD) 

policy: For a given datagram, sending entity needs 
to know if it should use IPsec 

needs also to know which SA to use 

■ may use: source and destination IP address; protocol 
number 

info in SPD indicates “what” to do with arriving 
datagram 

info in SAD indicates “how” to do it 
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Summary: IPsec services 



suppose Trudy sits somewhere between Rl and 
R2. she doesn’ t know the keys. 

■ will Trudy be able to see original contents of 
datagram? How about source, dest IP address, 
transport protocol, application port? 

■ flip bits without detection? 

■ masquerade as Rl using Rl’ s IP address? 

■ replay a datagram? 
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IKE: Internet Key Exchange 


❖ previous examples: manual establishment of IPsec SAs in 
IPsec endpoints: 

Example SA 
SPI: 12345 


Source IP: 200.168.1.100 
Dest IP: 193.68.2.23 
Protocol: ESP 

Encryption algorithm: 3DES-cbc 
HMAC algorithm: MD5 
Encryption key: 0x7aeaca... 

HMAC key:0xc0291f... 

❖ manual keying is impractical for VPN with 1 00s of 
endpoints 

❖ instead use IPsec IKE (Internet Key Exchange) 
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IKE: PSK and PKI 


authentication (prove who you are) with either 

■ pre-shared secret (PSK) or 

■ with PKI (pubic/private keys and certificates). 

PSK: both sides start with secret 

■ run IKE to authenticate each other and to generate IPsec 
SAs (one in each direction), including encryption, 
authentication keys 

PKI: both sides start with public/private key pair, 
certificate 

■ run IKE to authenticate each other, obtain IPsec SAs (one 
in each direction). 

■ similar with handshake in SSL. 
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IKE phases 


IKE has two phases 

■ phase I: establish bi-directional IKE SA 

• note: IKE SA different from IPsec SA 

• aka ISAKMP security association 

■ phase 2: ISAKMP is used to securely negotiate IPsec 
pair of SAs 

phase I has two modes: aggressive mode and 
main mode 

■ aggressive mode uses fewer messages 

■ main mode provides identity protection and is more 
flexible 
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IPsec summary 


IKE message exchange for algorithms, secret keys, 
SPI numbers 

either AH or ESP protocol (or both) 

■ AH provides integrity, source authentication 

■ ESP protocol (with AH) additionally provides 
encryption 

IPsec peers can be two end systems, two 
routers/firewalls, or a router/firewall and an end 
system 


Network Security 8-103 


Chapter 8 roadmap 


8.1 What is network security? 

8.2 Principles of cryptography 

8.3 Message integrity 

8.4 Securing e-mail 

8.5 Securing TCP connections: SSL 

8.6 Network layer security: IPsec 

8 . 7 Securing wireless LANs 

8.8 Operational security: firewalls and IDS 
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WEP design goals 

symmetric key crypto 

■ confidentiality 

■ end host authorization 

■ data integrity 

self-synchronizing: each packet separately encrypted 

■ given encrypted packet and key, can decrypt; can 
continue to decrypt packets when preceding packet was 
lost (unlike Cipher Block Chaining (CBC) in block 
ciphers) 

❖ Efficient 

■ implementable in hardware or software 
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Review: symmetric stream ciphers 



keystream 

generator 


* keystream 


❖ combine each byte of keystream with byte of plaintext to get 
ciphertext: 

■ m(i) = ith unit of message 

■ ks(i) = ith unit of keystream 

■ c(i) = ith unit of ciphertext 

■ c(i) = ks(i) © m(i) (© = exclusive or) 

■ m(i) = ks(i) © c(i) 

❖ WEP uses RC4 
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Stream cipher and packet independence 


recall design goal: each packet separately encrypted 

❖ if for frame n+ 1 , use keystream from where we left off for 
frame n, then each frame is not separately encrypted 

■ need to know where we left off for packet n 

❖ WEP approach: initialize keystream with key + new IV for 
each packet: 


Key+IV packet 


keystream 

generator 


* keystream packet 
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WEP encryption ( I ) 

❖ sender calculates Integrity Check Value (ICV) over data 

■ four-byte hash/CRC for data integrity 

❖ each side has 1 04-bit shared key 

❖ sender creates 24-bit initialization vector (IV), appends to key: gives 
1 28-bit key 

❖ sender also appends keylD (in 8-bit field) 

❖ 1 28-bit key inputted into pseudo random number generator to get 
keystream 

❖ data in frame + ICV is encrypted with RC4: 

■ B\bytes of keystream are XORed with bytes of data & ICV 

■ IV & keylD are appended to encrypted data to create payload 

■ payload inserted into 802.1 I frame 




encrypted 






IV 

Key 

ID 

data 

ICV 



MAC payload 
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WEP encryption (2) 


IV 


(per frame) 



K s : 104-bit 

— ► 

key sequence generator 

secret 

— ► 

( for given K s , IV) 


by mine me 

k 1 ,v 

k 2 ,v 

k 3 ,v . 

k IV 

. . k n 

k IV 

k N+1 • 

k IV 

• • k N+1 

plaintext 

© 

© 

© 

© 

© 

© 

frame data 

— ►d. 

d2 

d 3 ... 

d N 

CRCi .. 

. crc 4 


plus CRC iii ii i 

* * * * * * 

Cl C2 C3 ... Cn C N +1 ... Cn +4 


new IV for each frame 


802.11 

IV 

WEP-encrypted data 

header 

plus ICV 
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WEP decryption overview 




encrypted 






IV 

Key 

ID 

data 

ICV 



MAC payload 


receiver extracts IV 

❖ inputs IV, shared secret key into pseudo random 
generator, gets keystream 

XORs keystream with encrypted data to decrypt data + 
ICV 

verifies integrity of data with ICV 

■ note: message integrity approach used here is different 
from MAC (message authentication code) and 
signatures (using PKI). 
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End-point authentication w / nonce 


Nonce: number (R) used only once -in-a-lifetime 

How to prove Alice live ”: Bob sends Alice nonce, R. Alice 

must return R, encrypted with shared secret key 




Alice is live, and only 
Alice knows key to 
encrypt nonce, so it 
must be Alice! 
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WEP authe ntication 

authentication request 

nonce (128 bytes) 


nonce encrypted shared key 



< 2 . i ^ > 



success if decrypted value equals nonce 


Notes: 

❖ not all APs do it, even ifWEP is being used 

❖ AP indicates if authentication is necessary in beacon frame 

❖ done before association 
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Breaking 802.1 I WEP encryption 

security hole: 

❖ 24-bit IV, one IV per frame, -> IV’ s eventually reused 

❖ IV transmitted in plaintext -> IV reuse detected 

attack: 

■ Trudy causes Alice to encrypt known plaintext d| d 2 d 3 d 4 
• • • 

■ Trudy sees: Cj = dj XOR. kj lv 

■ Trudy knows Cj dj, so can compute kj v 

■ T rudy knows encrypting key sequence k| v k 2 v k 3 v . . . 

■ Next time IV is used, Trudy can decrypt! 
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802.1 li: improved security 


numerous (stronger) forms of encryption possible 
provides key distribution 

uses authentication server separate from access 
point 
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802. 1 I i: four phases of operation 


STA: 

client station 


◄ * 

(T) Discovery of 
security capabilities 


@ STA and AS mutually authenticate, together 

generate Master Key (MK). AP serves as “pass through 



AP: access point 

tr 



AS: 

Authentication 

server 


(3) STA derives 
Pairwise Master 
Key (PMK) 


( 3 ) AS derives 
same PMK, 
sends to AP 


◄ ► 

(?) STA, AP use PMK to derive 

Temporal Key (TK) used for message 
encryption, integrity 
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EAP: extensible authentication protocol 

EAP: end-end client (mobile) to authentication server 
protocol 

EAP sent over separate “links” 

■ mobile-to-AP (EAP over LAN) 

■ AP to authentication server (RADIUS over UDP) 
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Chapter 8 roadmap 


8.1 What is network security? 

8.2 Principles of cryptography 

8.3 Message integrity 

8.4 Securing e-mail 

8.5 Securing TCP connections: SSL 

8.6 Network layer security: IPsec 

8.7 Securing wireless LANs 

8.8 Operational security: prewalls and IDS 
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Firewalls 


|— firewall 

isolates organization’ s internal net from larger Internet, 
allowing some packets to pass, blocking others 



administered 

network 

trusted “good guys” 



firewall 


_ public 

Internet 

untrusted “bad guys” 
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Firewalls: why 

prevent denial of service attacks: 

❖ SYN flooding: attacker establishes many bogus TCP 
connections, no resources left for “real” connections 

prevent illegal modification/access of internal data 

❖ e.g., attacker replaces CIA’ s homepage with something else 
allow only authorized access to inside network 

❖ set of authenticated users/hosts 
three types of firewalls: 

❖ stateless packet filters 

❖ stateful packet filters 

❖ application gateways 
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Stateless packet filtering 



Should arriving 
packet be allowed in? 
Departing packet let^ 
out? 


❖ internal network connected to Internet via router firewall 

❖ router filters packet-by-packet, decision to forward/drop 
packet based on: 

■ source IP address, destination IP address 

■ TCP/UDP source and destination port numbers 

■ ICMP message type 

■ TCP SYN and ACK bits 
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Stateless packet filtering: example 

❖ example I: block incoming and outgoing datagrams with 
IP protocol field = 17 and with either source or dest 
port = 23 

■ result: all incoming, outgoing UDP flows and telnet 
connections are blocked 

❖ example 2: block inbound TCP segments with ACK=0. 

■ result: prevents external clients from making TCP 
connections with internal clients, but allows internal 
clients to connect to outside. 
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Stateless packet filtering: more examples 


Policy 

Firewall Setting 

No outside Web access. 

Drop all outgoing packets to any IP 
address, port 80 

No incoming TCP connections, 
except those for institution’ s 
public Web server only. 

Drop all incoming TCP SYN packets 
to any IP except 130.207.244.203, 
port 80 

Prevent Web-radios from eating 
up the available bandwidth. 

Drop all incoming UDP packets - 
except DNS and router broadcasts. 

Prevent your network from being 
used for a smurf DoS attack. 

Drop all ICMP packets going to a 
“broadcast” address (e.g. 
130.207.255.255). 

Prevent your network from being 
tracerouted 

Drop all outgoing ICMP TTL expired 
traffic 
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Access Control Lists 


♦ ACL: table of rules, applied top to bottom to incoming 
packets: (action, condition) pairs 


action 

source 

address 

dest 

address 

protocol 

source 

port 

dest 

port 

flag 

bit 

allow 

222.22/16 

outside of 

222.22/16 

TCP 

> 1023 

80 

any 

allow 

outside of 

222.22/16 

222.22/16 

TCP 

80 

> 1023 

ACK 

allow 

222.22/16 

outside of 

222.22/16 

UDP 

> 1023 

53 

— 

allow 

outside of 

222.22/16 

222.22/16 

UDP 

53 

> 1023 

— 

deny 

all 

all 

all 

all 

all 

all 
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Stateful packet filtering 


❖ stateless packet filter: heavy handed tool 

■ admits packets that “make no sense,” e.g., dest port = 
80, ACK bit set, even though no TCP connection 


establ 

shed: 

action 

source 

address 

dest 

address 

protocol 

source 

port 

dest 

port 

flag 

bit 

allow 

outside of 

222.22/16 

222.22/16 

TCP 

80 

> 1023 

ACK 


❖ stateful packet filter: track status of every TCP connection 

■ track connection setup (SYN), teardown (FIN): determine 
whether incoming, outgoing packets “makes sense” 

■ timeout inactive connections at firewall: no longer admit 
packets 
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Stateful packet filtering 

❖ ACL augmented to indicate need to check connection 
state table before admitting packet 


action 

source 

address 

dest 

address 

proto 

source 

port 

dest 

port 

flag 

bit 

check 

conxion 

allow 

222.22/16 

outside of 

222.22/16 

TCP 

> 1023 

80 

any 


allow 

outside of 

222.22/16 

222.22/16 

TCP 

80 

> 1023 

ACK 

X 

allow 

222.22/16 

outside of 

222.22/16 

UDP 

> 1023 

53 

— 


allow 

outside of 

222.22/16 

222.22/16 

UDP 

53 

> 1023 

— 

X 

deny 

all 

all 

all 

all 

all 

all 
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Application gateways 


filters packets on application 
data as well as on 
IP/TCP/UDP fields. 

example: allow select internal 
users to telnet outside. 


g ate way- to -remote 
host telnet session 
host-to-gateway / 



1 . require all telnet users to telnet through gateway. 

2. for authorized users, gateway sets up telnet connection to 
dest host. Gateway relays data between 2 connections 

3. router filter blocks all telnet connections not originating 
from gateway. 
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Application gateways 


filter packets on 
application data as well as 
on IP/TCP/UDP fields. 

example: allow select 
internal users to telnet 
outside 


host-to-gateway 

telnet session application 



1 . require all telnet users to telnet through gateway. 

2. for authorized users, gateway sets up telnet connection to 
dest host. Gateway relays data between 2 connections 

3. router filter blocks all telnet connections not originating 
from gateway. 
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Limitations of firewalls, gateways 


IP spoofing: router can’ t 
know if data “really” 
comes from claimed 
source 

if multiple app’ s. need 
special treatment, each has 
own app. gateway 

client software must know 
how to contact gateway. 

■ e.g., must set IP 
address of proxy in 
Web browser 


❖ filters often use all or 
nothing policy for UDP 

tradeoff: degree of 
communication with 
outside world, level of 
security 

❖ many highly protected 
sites still suffer from 
attacks 
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Intrusion detection systems 


packet filtering: 

■ operates on TCP/IP headers only 

■ no correlation check among sessions 

IDS: intrusion detection system 

■ deep packet inspection: look at packet contents (e.g., 
check character strings in packet against database of 
known virus, attack strings) 

■ examine correlation among multiple packets 

• port scanning 

• network mapping 

• DoS attack 
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Intrusion detection systems 

multiple IDSs: different types of checking at 
different locations 


firewall 



Internet 


IDS 

sensors 


demilitarized 

zone 
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Network Security (summary) 


basic techniques 

■ cryptography (symmetric and public) 

■ message integrity 

■ end-point authentication 

.... used in many different security scenarios 

■ secure email 

■ secure transport (SSL) 

■ IP sec 

■ 802. 1 I 

operational security: firewalls and IDS 
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